UK Data Compliance Standards (And How to Meet Them)
Large fines are being handed out all the time to firms that breach data protection laws. Here’s what you need to know so your company is not penalised.
6th October 2020
Share this Blog post
Companies and organisations are legally obliged to handle and store the data they work with relating to customers, clients or anyone else in a certain way — and if they don't follow the rules, they can face steep fines. It can seem like there's a growing number of data compliance standards that UK firms have to follow. In this post, we'll look at the main standards and what you have to do to avoid falling foul of the law and being penalised.
The Data Protection Act 2018
The Data Protection Act 2018 (DPA) sets out "data protection principles" that all companies, organisations and the government must follow when using personal information. These stringent rules are based on the EU's General Data Protection Regulation, which the UK implemented until they combined them with the DPA. There are some differences, however, relating to data usage by law enforcement and the age at which minors can consent to their data being used.
To comply with the Data Protection Act, entities can only use personal data in a fair and transparent way. This information can only be used for a specific intended purpose — and not for something else that the person who gave their data might not be aware of. All personal data stored by companies and organisations has to be kept up to date, so it's accurate at all times. It can only be stored for a certain period, which is the length of time required to use it.
Maximum fine for breach of the Data Protection Act 2018: £500,000.
General Data Protection Regulation (GDPR)
GDPR is the strictest legislation covering personal data in the world. Although the UK has left the EU, most of what's in the General Data Protection Regulation (GDPR) remains enshrined in law, forming the body of the Data Protection Act 2018. GDPR doesn't just apply to the UK and wider EU members, but the entire world — anyone outside the EU's jurisdiction doing business with a member state is subject to its terms. It came into effect in May 2018 to deal with the popularity of cloud services among firms to store and use personal data, and breaches of security that allow hackers to steal information.
GDPR stems from the 1950 European Convention on Human Rights that says “Everyone has the right to respect for his private and family life, his home and his correspondence”. At the time, the EU admitted that complying with GDPR would be a "daunting prospect", especially for small and medium-sized firms. So what does it cover?
GDPR states that processing personal information relating to anyone in the EU should be:
Done in a fair, transparent and lawful manner.
Limited, in that the data can only be used for a specific purpose and one conveyed to the person whose data is to be used.
Accurate and updated as necessary.
Stored for only as long as it's needed.
Confidential — including when the personal information is being used and stored. This can involve encryption methods.
Accountable, meaning the holder of the data must be able to demonstrate they meet all of these requirements.
Maximum fine for breach of the Data Protection Act 2018: €20 million or 4% of global revenue — whichever is higher.
Apart from these two sets of robust legislation covering personal data usage in the UK, what other regulations are there?
Companies operating in the UK are also subject to the Privacy and Electronic Communications Regulations (PECR) governing phone calls, emails and texts for marketing purposes, as well as cookies placed on websites. The regulations came into force in 2003 and are also based on EU legislation. They have requirements for keeping communications secure, customer privacy and itemised billing.